MySQL Security Best Practises
Uploaded by mark-swarbrick
Category: Technology

Transcript of MySQL Security Best Practises
Copyright © 2014, Oracle and/or its affiliates. All rights reserved.

MySQL Security: Best Practices
Mark Swarbrick, Principal Presales Consultant, UK&I

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Confidential – Oracle Internal/Restricted/Highly Restricted
43% of companies have experienced a data breach in the past year.
Source: Ponemon Institute, 2014
Mega Breaches
• 552 million identities exposed in 2013, a 493% increase over the previous year
• 77% of websites had vulnerabilities
• 1 in 8 of all websites had a critical vulnerability
• 8 breaches exposed more than 10 million records each in 2013
• Total breaches increased 62% in 2013
Source: Internet Security Threat Report 2014, Symantec
Database Vulnerabilities
• Poor Configurations – Set controls and change default settings
• Over-Privileged Accounts – Privilege policies
• Weak Access Control – Dedicated administrative accounts
• Weak Authentication – Strong password enforcement
• Weak Auditing – Compliance & audit policies
• Lack of Encryption – Data, backup, & network encryption
• Poor Credential & Key Management – Use mysql_config_editor, key vaults
• Unsecured Backups – Encrypted backups
• No Monitoring – Security monitoring of users and objects
• Poorly Coded Applications – Database firewall
Database Attacks
• SQL Injection – Prevention: DB firewall, white list, input validation
• Buffer Overflow – Prevention: Frequently apply database software updates, DB firewall, white list, input validation
• Brute Force Attack – Prevention: Lock out accounts after a defined number of incorrect attempts
• Network Eavesdropping – Prevention: Require SSL/TLS for all connections and transport
• Malware – Prevention: Tight access controls, limited network IP access, change default settings, encryption
Database Malicious Actions
• Information Disclosure: Obtain credit card and other personal information – Defense: Encryption (data and network), tighter access controls
• Denial of Service: Run resource-intensive queries – Defense: Resource usage limits (max connections, sessions, timeouts, ...)
• Elevation of Privilege: Retrieve and use administrator credentials – Defense: Stronger authentication, access controls, auditing
• Spoofing: Retrieve and use other credentials – Defense: Stronger account and password policies
• Tampering: Change data in the database, delete transaction records – Defense: Tighter access controls, auditing, monitoring, backups
Regulatory Compliance
• Regulations
  – PCI-DSS: Payment card data
  – HIPAA: Privacy of health data
  – Sarbanes-Oxley: Accuracy of financial data
  – EU Data Protection Directive: Protection of personal data
  – Data Protection Act (UK): Protection of personal data
• Requirements
  – Continuous monitoring (users, schema, backups, etc.)
  – Data protection (encryption, privilege management, etc.)
  – Data retention (backups, user activity, etc.)
  – Data auditing (user activity, etc.)
PCI-DSS
• Requirement 2: Secure configurations, security settings & patching
  – Not using vendor default passwords and security settings
• Requirement 3: Protecting cardholder data – strong cryptography
  – Protect stored cardholder data
  – Protect encryption keys
• Requirement 6: Up-to-date patching and secure systems
  – Develop and maintain secure systems and applications
• Requirement 7: User access and authorization
  – Restrict access to cardholder data by need to know
• Requirement 8: Identity and access management
  – Identify and authenticate access to system components
• Requirement 10: Monitoring, tracking and auditing
  – Track and monitor access to cardholder data
White Paper: A Guide to MySQL and PCI Compliance
DBA Responsibilities
• Ensure only users who should get access can get access
• Limit what users and applications can do
• Limit from where users and applications can access data
• Watch what is happening, and when it happened
• Make sure to back things up securely
• Minimize attack surface
• Ensure encryption keys are protected and managed
MySQL Security Overview (diagram)
• Authentication: MySQL, Linux/LDAP, Windows AD, Custom, Proxy Users
• Authorization: Privilege Management, Administration, Database & Objects
• Encryption: SSL/TLS, Public/Private Key, Transparent Encryption, Key Management
• Firewall: Block Threats
• Auditing: Regulatory Compliance, Login and Query Activities
MySQL Authorization
• Administrative privileges
• Database privileges
• Session limits and object privileges
• Fine-grained controls over user privileges
  – Creating, altering and deleting databases
  – Creating, altering and deleting tables
  – Execute INSERT, SELECT, UPDATE, DELETE queries
  – Create, execute, or delete stored procedures, and with what rights
  – Create or delete indexes
[Screenshot: Security Privilege Management in MySQL Workbench]
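The authorization slide above and the earlier "Denial of Service – resource usage limits" defense both come down to account definitions. The following is an added example, not code from the deck: it creates a least-privilege application account, a capped read-only reporting account and a dedicated local administrator for a hypothetical schema `appdb`, then audits for over-privileged accounts. Account names, subnets, passwords and limit values are assumptions; the `CREATE USER ... WITH` resource syntax needs MySQL 5.7.6 or later (on 5.6 the same limits go on the `GRANT` instead).

```sql
-- Added example (not from the original deck): least-privilege accounts and
-- per-account resource limits. Names, hosts and limits are assumptions.
-- Syntax: MySQL 5.7.6+ (CREATE USER accepts resource options).

-- 1. Application account: DML only, from the application subnet, never from '%'.
CREATE USER 'app_rw'@'10.0.1.%' IDENTIFIED BY 'Use-A-Long-Random-Secret!1';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app_rw'@'10.0.1.%';

-- 2. Reporting account: read-only and capped, so one runaway report cannot
--    starve the server (the "resource usage limits" defense against DoS).
CREATE USER 'report_ro'@'10.0.2.%' IDENTIFIED BY 'Another-Long-Random-Secret!2'
  WITH MAX_QUERIES_PER_HOUR 2000
       MAX_CONNECTIONS_PER_HOUR 200
       MAX_USER_CONNECTIONS 5;
GRANT SELECT ON appdb.* TO 'report_ro'@'10.0.2.%';

-- 3. Dedicated administrative account, local only; nobody shares 'root'.
CREATE USER 'dba_alice'@'localhost' IDENTIFIED BY 'Admin-Secret-Kept-In-Vault!3';
GRANT ALL PRIVILEGES ON *.* TO 'dba_alice'@'localhost' WITH GRANT OPTION;

-- 4. Server-wide caps on connections and idle sessions.
SET GLOBAL max_connections = 300;
SET GLOBAL wait_timeout = 600;
SET GLOBAL interactive_timeout = 600;

-- 5. Verify what each account actually holds.
SHOW GRANTS FOR 'app_rw'@'10.0.1.%';
SHOW GRANTS FOR 'report_ro'@'10.0.2.%';

-- 6. Audit for over-privileged accounts: global SUPER or FILE, GRANT OPTION,
--    or a wildcard host each deserve a second look.
SELECT User, Host, Super_priv, File_priv, Grant_priv
  FROM mysql.user
 WHERE Super_priv = 'Y' OR File_priv = 'Y' OR Grant_priv = 'Y' OR Host = '%';
```

Run a script like this from a file rather than an interactive session: the literal passwords would otherwise land in the client history, and with the general log enabled they are written there too unless `log_raw` is OFF (the default), which rewrites them.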
MySQL Authentication
• Built-in authentication
  – The mysql.user table stores accounts and password hashes (not reversible encryption)
• X.509 – Server authenticates client certificates
• MySQL native and SHA-256 password plugins
  – mysql_native_password hashes with SHA-1 and no per-user salt; the sha256_password plugin hashes with SHA-256 and a per-user salt
• MySQL Enterprise Authentication
  – Microsoft Active Directory
  – Linux PAMs (Pluggable Authentication Modules)
    • Support LDAP and more
• Custom authentication
MySQL Password Policies
• Accounts without passwords
  – Assign passwords to all accounts to prevent unauthorized use
• Password validation plugin
  – Enforce strong passwords
• Password expiration / rotation
  – Require users to reset their password
• Account locking (in v5.7)
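The four policies above, plus the "lock out accounts after a defined number of incorrect attempts" defense from the Database Attacks slide, as an added example rather than code from the deck. Two caveats a practitioner should know: the 5.7 "account lockout" is a manual `ACCOUNT LOCK`, not an automatic lock after failed logins; the closest built-in brute-force control in 5.7 is the `connection_control` plugin (5.7.17+), which delays further attempts after a threshold of failures. Account names and the dictionary path are assumptions.

```sql
-- Added example (not from the original deck). Account names and file
-- paths are assumptions. Column names follow the 5.7 mysql.user layout.

-- 1. Accounts with no password at all (on 5.6 test the Password column
--    instead of authentication_string).
SELECT User, Host, plugin
  FROM mysql.user
 WHERE authentication_string = '';

-- 2. Password validation plugin (5.6.6+): require long, mixed, non-dictionary
--    passwords. Mirror these settings in my.cnf so they survive a restart.
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
SET GLOBAL validate_password_policy = STRONG;
SET GLOBAL validate_password_length = 14;
SET GLOBAL validate_password_dictionary_file = '/etc/mysql/weak-passwords.txt';  -- assumed path
-- From now on a weak password is rejected with ERROR 1819:
-- ALTER USER 'app_rw'@'10.0.1.%' IDENTIFIED BY 'password';   -- fails

-- 3. Rotation: expire passwords every 90 days server-wide (5.7.4+) and force
--    an immediate reset for one account.
SET GLOBAL default_password_lifetime = 90;
ALTER USER 'app_rw'@'10.0.1.%' PASSWORD EXPIRE;

-- 4. Locking (5.7.6+): disable a departed DBA's account without dropping it,
--    so its grants remain available for review.
ALTER USER 'dba_bob'@'localhost' ACCOUNT LOCK;
-- ALTER USER 'dba_bob'@'localhost' ACCOUNT UNLOCK;

-- 5. Brute-force slowdown (5.7.17+): after 3 failures, delay each further
--    attempt from the same account/host by at least 1 s, up to 60 s.
INSTALL PLUGIN CONNECTION_CONTROL SONAME 'connection_control.so';
INSTALL PLUGIN CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS SONAME 'connection_control.so';
SET GLOBAL connection_control_failed_connections_threshold = 3;
SET GLOBAL connection_control_min_connection_delay = 1000;
SET GLOBAL connection_control_max_connection_delay = 60000;

-- 6. Review the resulting state.
SELECT User, Host, password_expired, password_lifetime, account_locked
  FROM mysql.user;
SELECT * FROM information_schema.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS;
```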
MySQL Encryption
• SSL/TLS encryption
  – Between MySQL clients and server
  – Replication: between master & slave
• Data encryption – AES encrypt/decrypt
• MySQL Enterprise TDE – Transparent Data Encryption, key management (KMIP)
• MySQL Enterprise Encryption – Asymmetric encrypt/decrypt, generate public and private keys, derive session keys, digital signatures
• MySQL Enterprise Backup – AES encrypt/decrypt
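An added example for the first two bullets (client and replication TLS, column-level AES); it is not code from the deck. It makes TLS mandatory per account and server-wide, configures an encrypted replication channel, and shows the AES usage a practitioner should prefer: the default `aes-128-ecb` mode encrypts equal plaintexts to equal ciphertexts, so the example switches to CBC with a random IV stored beside the ciphertext. Account names, file paths, the table and the key derivation are assumptions.

```sql
-- Added example (not from the original deck). Names, paths and the key
-- source are assumptions. Requires MySQL 5.6.17+ for RANDOM_BYTES and
-- block_encryption_mode; require_secure_transport is 5.7.5+.

-- 1. Is TLS material loaded? (5.7 generates it automatically; otherwise set
--    ssl-ca / ssl-cert / ssl-key in my.cnf.)
SHOW VARIABLES LIKE 'have_ssl';          -- expect YES
SHOW VARIABLES LIKE 'ssl_%';
SHOW SESSION STATUS LIKE 'Ssl_cipher';   -- empty means this session is in the clear

-- 2. Make TLS mandatory. REQUIRE X509 additionally demands a client
--    certificate signed by a CA the server trusts.
ALTER USER 'app_rw'@'10.0.1.%' REQUIRE SSL;
ALTER USER 'report_ro'@'10.0.2.%' REQUIRE X509;
SET GLOBAL require_secure_transport = ON;   -- reject every non-TLS TCP connection

-- 3. Encrypt the replication stream: run on the slave (paths assumed).
CHANGE MASTER TO
  MASTER_SSL = 1,
  MASTER_SSL_CA   = '/etc/mysql/ssl/ca.pem',
  MASTER_SSL_CERT = '/etc/mysql/ssl/client-cert.pem',
  MASTER_SSL_KEY  = '/etc/mysql/ssl/client-key.pem';

-- 4. Column-level AES in CBC mode with a per-row IV.
SET block_encryption_mode = 'aes-256-cbc';
-- 32-byte key; in practice fetch it from a vault, never embed it in scripts.
SET @key = UNHEX(SHA2('key-material-from-your-vault-not-a-literal', 256));
SET @iv  = RANDOM_BYTES(16);

CREATE TABLE IF NOT EXISTS card_vault (
  id  INT AUTO_INCREMENT PRIMARY KEY,
  pan VARBINARY(64) NOT NULL,   -- ciphertext
  iv  VARBINARY(16) NOT NULL    -- IV is not secret, but must be unique per row
);
INSERT INTO card_vault (pan, iv)
  VALUES (AES_ENCRYPT('4111111111111111', @key, @iv), @iv);

-- Decrypt with the row's own IV.
SELECT id, CAST(AES_DECRYPT(pan, @key, iv) AS CHAR) AS pan
  FROM card_vault;
```

The weak point of `AES_ENCRYPT` is key handling: the key appears in the statement text, so it can surface in the general log, slow log and, for the INSERT, in the binary log. That is the gap the Enterprise TDE and key-management bullets address, where keys never pass through SQL.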
Database Firewall
• SQL injection attacks
  – #1 web application vulnerability
  – 77% of websites had vulnerabilities
• MySQL Enterprise Firewall
  – Monitor database statements in real time
  – Automatic white list "rules" generation for any application
  – Block SQL injection attacks
  – Intrusion detection system
Database Auditing
• Auditing for security & compliance
  – FIPS, HIPAA, PCI-DSS, SOX, DISA STIG, ...
• MySQL built-in logging infrastructure
  – General log, error log
• MySQL Enterprise Audit
  – Granularity made for auditing
  – Can be modified live
  – Contains additional details
  – Compatible with Oracle Audit Vault
MySQL Database Hardening
User Management
• Remove extra accounts
• Grant minimal privileges
• Audit users and privileges
Configuration
• Firewall
• Auditing and logging
• Limit network access
• Monitor changes
Installation
• mysql_secure_installation
• Keep MySQL up to date
• MySQL Installer for Windows
• Yum/Apt repository
Backups
• Monitor backups
• Encrypt backups
Encryption
• SSL/TLS for secure connections
• Data encryption (AES, RSA)
• TDE
Passwords
• Strong password policy
• Hashing, expiration
• Password validation plugin
MySQL 5.7 Linux Packages – Security Improvements
• Test/demo database has been removed
  – Now in separate packages
• Anonymous account creation is removed
• Creation of a single root account – localhost only
• Default installation ensures encrypted communication by default
  – Automatic generation of SSL/RSA certs/keys
    • For EE: at server startup, if the certs/keys options were not set
    • For CE: through the new mysql_ssl_rsa_setup utility
  – Automatic detection of SSL certs/keys
  – Client attempts a secure TLS connection by default
• Compile-time restriction over the location used for data import/export operations
  – Ensures the location has restricted access: only the mysql user and group
  – Supports disabling data import/export entirely: set secure_file_priv to NULL (note that an empty string removes the restriction altogether rather than disabling the operations)
MySQL Installer for Windows includes various security setup and hardening steps
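For servers that predate these 5.7 defaults, or were upgraded in place, the hardening section's "remove extra accounts" and "mysql_secure_installation" items are done by hand as below. This is an added example, not code from the deck: it performs the same cleanup that mysql_secure_installation runs (anonymous users, remote root, the test database and its wildcard grant) and then reads back the settings the 5.7 slide lists so they can be compared to hardened values. Column names follow the 5.7 mysql.user layout.

```sql
-- Added example (not from the original deck): manual equivalent of
-- mysql_secure_installation plus a settings check. Hosts returned by the
-- SELECTs vary per server; the DROP USER targets below are examples.

-- 1. Anonymous accounts: list them, then drop each one returned.
SELECT User, Host FROM mysql.user WHERE User = '';
DROP USER ''@'localhost';          -- repeat for every Host the SELECT returned

-- 2. root must be reachable from localhost only.
SELECT User, Host FROM mysql.user
 WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
-- DROP USER 'root'@'%';            -- for each remote host found

-- 3. The test database and the grant that lets anyone use test_* schemas.
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\\_%';
FLUSH PRIVILEGES;

-- 4. Settings check. Each row should match the hardened value in the
--    comment; anything else is a finding.
SHOW VARIABLES WHERE Variable_name IN (
  'secure_file_priv',          -- a dedicated directory, or NULL to disable LOAD DATA / SELECT ... INTO OUTFILE
  'local_infile',              -- OFF: no client-side file reads via LOAD DATA LOCAL
  'have_ssl',                  -- YES
  'require_secure_transport',  -- ON (5.7.5+)
  'bind_address',              -- a specific interface, not 0.0.0.0 or *
  'skip_name_resolve',         -- ON: grants keyed by IP, no reliance on reverse DNS
  'default_password_lifetime'  -- non-zero
);

-- 5. Accounts still allowed in from anywhere.
SELECT User, Host FROM mysql.user WHERE Host = '%';
```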
MySQL Enterprise Edition
• MySQL Enterprise Authentication – External authentication modules: Microsoft AD, Linux PAMs
• MySQL Enterprise Encryption – Public/private key cryptography, asymmetric encryption, digital signatures, data validation
• MySQL Enterprise Firewall – Block SQL injection attacks, intrusion detection
• MySQL Enterprise Audit – User activity auditing, regulatory compliance
• MySQL Enterprise Monitor – Changes in database configurations, user permissions, database schema, passwords
• MySQL Enterprise Backup – Securing backups, AES-256 encryption
• MySQL Enterprise TDE – AES-256 encryption, key management
MySQL Enterprise Monitor
• Enforce MySQL security best practices
  – Identifies vulnerabilities
  – Assesses current setup against security hardening policies
• Monitoring & alerting
  – User monitoring
  – Password monitoring
  – Schema change monitoring
  – Backup monitoring
  – Configuration management
  – Configuration tuning advice
• Centralized user management

"I definitely recommend the MySQL Enterprise Monitor to DBAs who don't have a ton of MySQL experience. It makes monitoring MySQL security, performance and availability very easy to understand and to act on."
Sandi Barr, Sr. Software Engineer, Schneider Electric
MySQL Enterprise Firewall
• Block SQL injection attacks
  – Allow: SQL statements that match the whitelist
  – Block: SQL statements that are not on the whitelist
• Intrusion detection system
  – Detect: SQL statements that are not on the whitelist
    • SQL statements execute and alert administrators
Example (whitelisted application statement versus an injected variant):
  SELECT * FROM employee WHERE id=22            -> Allow ✔
  SELECT * FROM employee WHERE id=22 OR 1=1     -> Block ✖ (Detect & Alert in intrusion-detection mode)
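The record/detect/protect workflow behind the slide, as an added example rather than code from the deck, followed by the application-side fix that makes the injected variant impossible in the first place. The whitelist stores normalized statement digests, which is why `id=22` and `id=22 OR 1=1` land on different sides of the rule. Account and table names are assumptions, the plugin is assumed to be installed already (Oracle ships an install script for that), and the digest shown in the comment is illustrative.

```sql
-- Added example (not from the original deck): MySQL Enterprise Firewall
-- modes for one account, then a prepared statement on the application side.
-- Account 'app_rw'@'10.0.1.%' and table employee are assumptions.

-- 1. RECORDING: run the application's normal workload; each distinct
--    normalized statement becomes a whitelist rule.
CALL mysql.sp_set_firewall_mode('app_rw@10.0.1.%', 'RECORDING');
-- ... exercise the application ...
SELECT * FROM mysql.firewall_whitelist WHERE USERHOST = 'app_rw@10.0.1.%';
-- e.g. SELECT * FROM `employee` WHERE `id` = ?   (illustrative digest)

-- 2. DETECTING (IDS behaviour): non-matching statements run, but are logged
--    and counted.
CALL mysql.sp_set_firewall_mode('app_rw@10.0.1.%', 'DETECTING');

-- 3. PROTECTING: non-matching statements are rejected.
CALL mysql.sp_set_firewall_mode('app_rw@10.0.1.%', 'PROTECTING');
-- The injected form normalizes to a different digest, so it is denied:
--   SELECT * FROM employee WHERE id = 22 OR 1 = 1

-- 4. Counters to feed into monitoring.
SHOW GLOBAL STATUS LIKE 'Firewall%';

-- 5. Application-side fix: bind the value instead of splicing it into the
--    SQL text. Whatever the client sends arrives as one value, never as
--    syntax, so "22 OR 1=1" can only ever be compared against id.
PREPARE get_emp FROM 'SELECT * FROM employee WHERE id = ?';
SET @id = 22;
EXECUTE get_emp USING @id;
DEALLOCATE PREPARE get_emp;
```

Record the whitelist from a staging run that covers every code path; a rule missed in recording shows up in production as a blocked legitimate query, which is why the DETECTING mode exists as the intermediate step.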
MySQL Enterprise Authentication
• Integrate with centralized authentication infrastructure
  – Centralized account management
  – Password policy management
  – Groups & roles
• PAM (Pluggable Authentication Modules)
  – Standard interface (Unix, LDAP, Kerberos, others)
• Windows
  – Access native Windows services: authenticate users against Windows Active Directory or a native host
Integrates MySQL with existing security infrastructures
MySQL Enterprise Encryption
• MySQL encryption functions
  – Symmetric encryption: AES-256 (all editions)
  – Public-key/asymmetric cryptography: RSA
• Key management functions
  – Generate public and private keys
  – Key exchange methods: DH
• Sign and verify data functions
  – Cryptographic hashing for digital signing, verification & validation: RSA, DSA
Database Auditing
• "Trust but verify" approach to security
  – Ensure users with strong privileges don't misuse those privileges
• Business audit – data validity
  – Here's proof my database data is accurate/correct
  – Prove no tampering to data has occurred
• Forensic analysis – as a component of any defense-in-depth strategy
  – Proactive: Am I being / was I hacked?
  – Reactive: How were we hacked, what was changed, taken, etc.
Maintaining an audit trail is an essential security best practice
MySQL Enterprise Audit
• Out-of-the-box logging of connections, logins, and queries
• Simple to fine-grained policies for filtering, and log rotation
• Dynamically enabled, disabled: no server restart
• XML-based audit stream
  – Send data to a remote server / audit data vault
    • Oracle Audit Vault
    • Splunk, etc.
Adds "regulatory compliance" to MySQL applications (HIPAA, Sarbanes-Oxley, PCI, etc.)
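An added example, not code from the deck, for the Enterprise Audit bullets and the built-in logging fallback from the earlier Database Auditing slide. The `audit_log` plugin ships only with Enterprise Edition; the general log is available everywhere but records every statement, so the example switches it on only for a bounded investigation. One version caveat: `audit_log_policy` can be changed at runtime on 5.6, while on 5.7 it is read at startup and belongs in my.cnf.

```sql
-- Added example (not from the original deck). Sizes and the policy value are
-- illustrative choices, not recommendations from the slide.

-- 1. Load the audit plugin. In my.cnf, plugin-load-add=audit_log.so together
--    with audit_log=FORCE_PLUS_PERMANENT stops it being unloaded at runtime
--    and makes the server refuse to start without it.
INSTALL PLUGIN audit_log SONAME 'audit_log.so';

-- 2. Policy and rotation (5.6: dynamic; 5.7: set audit_log_policy in my.cnf).
SET GLOBAL audit_log_policy = 'LOGINS';                    -- ALL | LOGINS | QUERIES | NONE
SET GLOBAL audit_log_rotate_on_size = 256 * 1024 * 1024;   -- rotate at 256 MB
SHOW VARIABLES LIKE 'audit_log%';
SHOW GLOBAL STATUS LIKE 'Audit_log%';                      -- events written, lost, etc.

-- 3. Built-in fallback (all editions): general log to a table for a bounded
--    window. Keep log_raw = OFF (the default) so passwords in statements
--    are rewritten before logging.
SET GLOBAL log_output = 'TABLE';
SET GLOBAL general_log = ON;
-- ... observation window ...
SET GLOBAL general_log = OFF;

-- 4. "Trust but verify": who connected, from where, and how often?
SELECT user_host, COUNT(*) AS logins, MAX(event_time) AS last_seen
  FROM mysql.general_log
 WHERE command_type = 'Connect'
 GROUP BY user_host
 ORDER BY logins DESC;

-- 5. Privilege changes made during the window (tampering / elevation check).
SELECT event_time, user_host, argument
  FROM mysql.general_log
 WHERE command_type = 'Query'
   AND argument REGEXP '^(GRANT|REVOKE|CREATE USER|ALTER USER|DROP USER)'
 ORDER BY event_time;
```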
MySQL Enterprise Backup
• Online backup for InnoDB (scriptable interface)
• Full, incremental, partial backups (with compression)
• Strong encryption (AES-256)
• Point-in-time, full, partial recovery options
• Metadata on status, progress, history
• Scales – high performance / unlimited database size
• Windows, Linux, Unix
• Certified with Oracle Secure Backup, NetBackup, Tivoli, others
MySQL Enterprise Oracle Certifications
• Oracle Enterprise Manager for MySQL
• Oracle Linux (w/ DRBD stack)
• Oracle VM
• Oracle Solaris
• Oracle Solaris Clustering
• Oracle Clusterware
• Oracle Audit Vault and Database Firewall
• Oracle Secure Backup
• Oracle Fusion Middleware
• Oracle GoldenGate
• My Oracle Support
MySQL integrates into your Oracle environment
Oracle Audit Vault and Database Firewall
• Oracle DB Firewall
  – Oracle, MySQL, SQL Server, IBM DB2, Sybase
  – Activity monitoring & logging
  – White list, black list, exception list
• Audit Vault
  – Built-in compliance reports
  – External storage for audit archive